ls -l: What happens behind the scenes?

A step by step explanation of what happens when you type ls -l and hit Enter in a shell


The first interaction that occurs is the printing of a prompt. The prompt is a combination of specific characters that when displayed, the system is ready to receive a command. Usually, the shell prompt ends with the “$” character. Also, in the Shell the prompt is usually followed by the blinking cursor, signifying that it is waiting for the user to input characters.

Get line

When a command is entered, the keyboard drivers will interpret this and send it to the system where the process of command recognition will begin. On success of obtaining the user input, the next step is to correspond it to an executable program. On failure, the error message will be output — but either way something, somewhere will happen. The string passed by the user will be saved as a buffer and the system will carry out actions to begin the interpretation process.


Is it an alias…

An alias in this context means the same as it does in the common usage of this word.

..or a built-in function?

Built-ins are specific functions that are executed directly by the shell without the need of invoking another program or beginning a separate process.

Then it has to be in the PATH!

The next step is to search for the executable file within the environment variable PATH ($PATH). This environment variable stores a set of directories where executable files are located. Every route is separated by “:”.

Ready, Set, EXECUTE!

So, the user input was obtained, interpreted, and the program it corresponds to was located. Now, it is time to execute it.


In order to execute a program, the shell has to duplicate itself and execute the program on a parallel process.

  • An erroneous command will cause the entire shell to stop working. We want to avoid this.
  • Independent commands should have their own process blocks in order for the process to be traceable and to maintain the program working in a loop returning to the prompt after executing the command instead of finishing the program.


To be able to duplicate create a parallel process, the shell uses the system call fork.

Can you execute the program already!?

The program route is passed to the execve() syscall that executes the program and shows the output on the screen, whether it succeeds or fails.

So… is that it?

Well yes, this is certainly it! This is the whole process the shell carries out when a command is prompt by the user. This happens in milliseconds, and the user sees the output almost immediately, yet what happens backstage is a lot, isn’t it?

ls -l

By itself, ls lists the files in the current working directory:

  • The first field could be ‘-’ for File, d for Directory, l for Link
  • The second, third and fourth fields are permissions. r = read, w = write and x = execute. There are three fields regarding permissions. The first field shows the permissions the owner has over the file, the second field shows the permissions the group has over the file and the third field shows the permissions everybody else has over the file.
  • The fifth field specifies the number of links or directories inside this directory.
  • The sixth field is the user that owns the file, or directory.
  • The seventh field is te group that the file belongs to, and any user in that group will have the permissions given in the third field over that file.
  • The eighth field is the size in bytes.
  • The ninth field is the date of the last modification to the file.
  • And the tenth field is the name of the file



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store